[11.4] SSRF - Scan Internal Ports and GCP/AWS endpoints

21969c4a · Francisco Javier López · John Jarvis · afcbd4ed · 21969c4a · 21969c4a
Commit 21969c4a authored 6 years ago by Francisco Javier López Committed by John Jarvis 6 years ago
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -305,10 +305,10 @@ class Project < ActiveRecord::Base
  
  validates :namespace, presence: true
  validates :name, uniqueness: { scope: :namespace_id }
-  validates :import_url, url: { protocols: %w(http https ssh git),
-                                allow_localhost: false,
-                                enforce_user: true,
-                                ports: VALID_IMPORT_PORTS }, if: [:external_import?, :import_url_changed?]
+  validates :import_url, public_url: { protocols: %w(http https ssh git),
+                                       allow_localhost: false,
+                                       enforce_user: true,
+                                       ports: VALID_IMPORT_PORTS }, if: [:external_import?, :import_url_changed?]
  validates :star_count, numericality: { greater_than_or_equal_to: 0 }
  validate :check_limit, on: :create
  validate :check_repository_path_availability, on: :update, if: ->(project) { project.renamed? }

--- a/app/models/remote_mirror.rb
+++ b/app/models/remote_mirror.rb
@@ -18,7 +18,7 @@ class RemoteMirror < ActiveRecord::Base
  
  belongs_to :project, inverse_of: :remote_mirrors
  
-  validates :url, presence: true, url: { protocols: %w(ssh git http https), allow_blank: true, enforce_user: true }
+  validates :url, presence: true, public_url: { protocols: %w(ssh git http https), allow_blank: true, enforce_user: true }
  
  before_save :set_new_remote_name, if: :mirror_url_changed?
  

--- a/changelogs/unreleased/security-fix-ssrf-import-url-remote-mirror.yml
+++ b/changelogs/unreleased/security-fix-ssrf-import-url-remote-mirror.yml
+---
+title: Fix SSRF with import_url and remote mirror url
+merge_request:
+author:
+type: security
--- a/spec/models/project_spec.rb
+++ b/spec/models/project_spec.rb
@@ -266,6 +266,13 @@ describe Project do
        expect(project2.errors[:import_url].first).to include('Requests to localhost are not allowed')
      end
  
+      it 'does not allow import_url pointing to the local network' do
+        project = build(:project, import_url: 'https://192.168.1.1')
+
+        expect(project).to be_invalid
+        expect(project.errors[:import_url].first).to include('Requests to the local network are not allowed')
+      end
+
      it "does not allow import_url with invalid ports" do
        project2 = build(:project, import_url: 'http://github.com:25/t.git')
  

--- a/spec/models/remote_mirror_spec.rb
+++ b/spec/models/remote_mirror_spec.rb
@@ -24,6 +24,20 @@ describe RemoteMirror do
        expect(remote_mirror).to be_invalid
        expect(remote_mirror.errors[:url].first).to include('Username needs to start with an alphanumeric character')
      end
+
+      it 'does not allow url pointing to localhost' do
+        remote_mirror = build(:remote_mirror, url: 'http://127.0.0.2/t.git')
+
+        expect(remote_mirror).to be_invalid
+        expect(remote_mirror.errors[:url].first).to include('Requests to loopback addresses are not allowed')
+      end
+
+      it 'does not allow url pointing to the local network' do
+        remote_mirror = build(:remote_mirror, url: 'https://192.168.1.1')
+
+        expect(remote_mirror).to be_invalid
+        expect(remote_mirror.errors[:url].first).to include('Requests to the local network are not allowed')
+      end
    end
  end